DESCRIPTION

DATA PROCESSING METHOD, PROGRAM OF THE SAME, AND DEVICE 
OF THE SAME 

BACKGROUND OF THE INVENTION 

1. Field of the Invention

The present invention relates to a data processing 
method for performing predetermined processing based on 
authentication results, a program of the same, and a 
device of the same. 

2. Background Art

There is a system where an authenticating side
(authenticating means) confirms the legitimacy of an
authenticated side (means to be authenticated), then
executes processing authorized to the authenticated side.

In such a system, for example, the authenticating
side holds mutual authentication key data for all
authenticated sides and selects the mutual authentication
key data corresponding to an authenticated side to
perform the mutual authentication for each
authenticated side.

Further, when confirming the legitimacy of the
means to be authenticated by the mutual authentication,
the authenticating side specifies processing authorized
to the means to be authenticated in advance based on a
management table, etc. and executes the specified
processing.

In the above-explained conventional system, however,
the authenticated side must hold the mutual
authentication key data corresponding to all
authenticating sides, so there is a problem that the
management load of the mutual authentication key data is
large.

Further, in the above-explained conventional system,
it is necessary to specify the processing authorized to
an authenticated side based on a management table
separately from the mutual authentication, so there is
the problem of a large load for preparation, management,
etc. of the management table.

SUMMARY OF THE INVENTION

The present invention is performed considering the
above circumstances, and it has as its object to
provide a data processing method enabling reduction of a
processing load of the authenticating means when the
authenticating means authenticates the means to be
authenticated, then executes processing authorized to the
means to be authenticated, a program of the same and a
device of the same.

To attain the above object, a data processing
method of a first invention is a data processing method
performed by means to be authenticated and authenticating
means, the authenticating means holding key data, the
method including performing first encryption at the
authenticating means using key data related to processing
permitted to the means to be authenticated among
processing relating to the authenticating means to
generate first authentication use data; providing the
first authentication use data and key designation data
designating the key data to the means to be authenticated;
comparing the first authentication use data with second
authentication use data; and executing the processing
related to the key data in the authenticating means when
the comparison determines that the first authentication
use data and the second authentication use data are the
same.

In the data processing method of the first
invention, first, the first authentication use data is
generated by using the key data related to the processing
permitted to the means to be authenticated among
processing relating to the authenticating means for the
encryption.

Then, the first authentication use data and key
designation data designating the key data are provided to
the means to be authenticated.

The data processing method of the first invention,
preferably, writes the first authentication use data and
the key designation data in an integrated circuit used by
the means to be authenticated.

Further, the data processing method of the first
invention, preferably, generates the first authentication
use data by using the key data related to a function of
the authenticating means permitted by the means to be
authenticated or an access to data held by the
authenticating means.

Further, in the data processing method of the first
invention, preferably, the means to be authenticated
provides the key designation data to the authenticating
means, and the authenticating means generates the second
authentication use data by second encryption by using the
designated key data. The means to be authenticated
authenticates by using the first authentication use data
and the authenticating means authenticates by using the
second authentication use data, and the authenticating
means executes processing related to the key data in
response to an indication from the means to be
authenticated when the authenticating means judges that
the first authentication use data and the second
authentication use data are the same by the
authentication.

A program of a second invention is a program for
causing a data processing device to execute an
authentication process between an authenticating means
holding key data and a means to be authenticated, the
authentication process including performing first
encryption using key data related to processing permitted
to the means to be authenticated among processing
relating to the authenticating means to generate first
authentication use data; providing the first
authentication use data and key designation data
designating the key data to the means to be authenticated;
comparing the first authentication use data with second
authentication use data; and executing the processing
related to the key data in the authenticating means when
the comparison determines that the first authentication
use data and the second authentication use data are the
same.

A data processing device of a third invention
provides first authentication use data to the means to be
authenticated when authenticating means holding key data
uses key data designated by the means to be authenticated
to generate second authentication use data, uses the
second authentication use data in an authentication
process with the means to be authenticated, and performs
processing related to the key data when the first
authentication use data and the second authentication use
data are the same, the data processing device including
means to be authenticated; means for generating the first
authentication use data by encryption using the key data
related to processing permitted to the means to be
authenticated among processing relating to the
authenticating means; and means for providing the first
authentication use data and key designation data
designating the key data used to generate the first
authentication use data to the means to be authenticated.

In the data processing device of the third
invention, first, a first means generates the first
authentication use data by encryption using the key data
related to the processing permitted to the means to be
authenticated among processing relating to the
authenticating means.

Then, a second means provides the first
authentication use data generated in the first means and
key designation data designating the key data used to
generate the first authentication use data in the first
means to the means to be authenticated.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a view of the overall configuration of a 
communication system of an embodiment of the present 
invention. 

FIG. 2 is a functional block diagram of a management
device shown in FIG. 1.

FIG. 3 is a flow chart for explaining an outline of
the processing step performed by the management device
shown in FIG. 2.

FIG. 4 is a view for explaining a card used in 
processing relating to an AP edit tool and management 
tool shown in FIG. 2. 

FIG. 5 is a functional block diagram of an IC card
shown in FIG. 1.

FIG. 6 is a view for explaining data stored in a 
memory shown in FIG. 5. 

FIG. 7 is a view for explaining the software 
configuration of a SAM module shown in FIG. 1. 

FIG. 8 is a view for explaining the hardware
configuration of the SAM module shown in FIG. 1 and a
memory area of an external memory 7.

FIG. 9 is a view for explaining an AP memory area
shown in FIG. 8.

FIG. 10 is a view for explaining application
element data.

FIG. 11 is a view for explaining the type of 
application element data APE. 

FIG. 12 is a flow chart for explaining preparation 
steps of an owner card and a user card. 

FIG. 13 is a view for explaining mutual
authentication key data.

FIG. 14 is a view for explaining a mutual
authentication code.

FIG. 15A and FIG. 15B are views for explaining the
relationship between the mutual authentication key data
and service.

FIG. 16 is a view for explaining a method for
generating synthetic key data.

FIG. 17 is a view for explaining another method of 
generation of synthetic key data. 

FIG. 18 is a view for explaining the hierarchy of 
encryption of synthetic key data. 

FIG. 19 is a view for explaining an example of the
features of synthetic key data.

FIG. 20 is a view for explaining an example of a 
mode of use of the mutual authentication key data. 

FIG. 21 is a flow chart for explaining mutual
authentication between a SAM management function portion
of the management device shown in FIG. 1 and the SAM unit.

FIG. 22 is a flow chart for explaining mutual
authentication between a SAM management function portion
of the management device shown in FIG. 1 and the SAM unit
continuing from FIG. 21.

FIG. 23 is a flow chart for explaining the
processing of the SAM unit.

FIG. 24 is a view for explaining a screen used for 
issuing various types of cards relating to the management 
device explained by using FIG. 2 and FIG. 4. 

FIG. 25 is a view for explaining a screen for 
preparation of an owner card. 

FIG. 26 is a view for explaining a card request 
screen. 

FIG. 27 is a view for explaining a screen for 
preparation of a user card. 

FIG. 28 is a view for explaining a screen for 
preparation of an AP encryption card. 

FIG. 29 is a view for explaining a screen for
preparation of a transport card.

DETAILED DESCRIPTION

Hereinafter, an explanation will be given of 
preferred embodiments by referring to the drawings. 

FIG. 1 is a view of the overall configuration of a 
communication system 1 of the present embodiment. 

As shown in FIG. 1, the communication system 1 uses
a server apparatus 2 disposed in a store, etc., an IC
card 3, a card reader/writer 4, a personal computer 5, an
ASP (application service provider) server apparatus 19,
SAM (secure application module) units 9a, 9b, a
management device 20, and a mobile communication device
41 having a built-in IC module 42 to communicate via the
Internet 10 and perform processing such as settlements
using the IC card 3 or the mobile communication device 41.

In the communication system 1, the management
device 20 performs the processing relating to an
embodiment corresponding to the present invention.

Namely, the management device 20 performs
processing for issuing cards (for example, owner cards
and user cards explained later) having built-in ICs
(integrated circuits of the present invention) used for
making the SAM units 9a and 9b perform predetermined
processing authorized by a manager, etc. Due to this, it
provides data required for mutual authentication to the
means to be authenticated.

Further, the issued cards are used by the manager
and the user and the management device 20 performs mutual
authentication used between the SAM units 9a and 9b and
makes the SAM units 9a and 9b perform the authorized
predetermined processing.

In this case, the management device 20 becomes
the means to be authenticated of the present invention,
and the SAM units 9a and 9b become the authenticating
means of the present invention.

FIG. 2 is a functional block diagram of the
management device 20.

As shown in FIG. 2, the management device 20 has,
for example, an AP edit tool 51, a management tool 52, a
card reader/writer 53, a display 54, an I/F 55, and an
operation unit 56.

The AP edit tool 51 and the management tool 52 may
be realized by the data processing device executing a
program (corresponding to the program of the ninth aspect
of the invention) and may be realized by an electronic
circuit (hardware).

The management tool 52 has, for example, a SAM
management function portion 57 and a card management
function portion 58.

The card reader/writer 53 transfers data by a 
noncontact method or a contact method with ICs of various 
cards shown below. 

The display 54 is used for displaying a card
issuance screen and an AP management screen.

The I/F 55 transfers data with the SAM units 9a and
9b by the noncontact method or the contact method.

The operation unit 56 is used for inputting
instructions or data to the AP edit tool 51 and the
management tool 52.

FIG. 3 is a flow chart for explaining an outline of
the processing routine performed by the management
device 20.

Step ST1:

The management device 20 prepares an owner card 72
in which predetermined data is stored using a default
card 71 set in the card reader/writer 53 by the card
management function portion 58 in response to an
operation of the manager.

Namely, the management device 20 encrypts the
device key data explained later by using the mutual
authentication key data (key data of the present
invention) related to the processing authorized to the
means to be authenticated using the owner card 72 among
processing relating to the SAM units 9a and 9b
(authenticating means of the present invention) by a
predetermined encryption method (predetermined generation
method of the present invention) and generates the
synthetic key data (first authentication use data of the
present invention) making the mutual authentication key
data hard to restore.

Where giving the user of the owner card 72 the
authority to use all processing relating to the SAM units
9a and 9b, the synthetic key data is generated by using a
plurality of the mutual authentication key data related
to all the processing.

Then, the management device 20 writes the generated
synthetic key data and the key designation data
designating the mutual authentication key data used for
the generation of the synthetic key data into the ICs
(integrated circuits of the present invention) of the
owner card 72.

Step ST2:

The management device 20 prepares a user card 73
in which predetermined data is stored using the owner
card 72 set in the card reader/writer 53 by the card
management function portion 58 in response to an
operation of the manager.

Namely, the management device 20 encrypts the
device key data by using the mutual authentication key
data related to the processing authorized to the means to
be authenticated using the user card 73 among processing
relating to the SAM units 9a and 9b by a predetermined
encryption method (predetermined generation method of the
present invention) and generates the synthetic key data
(first authentication use data of the present invention)
making the mutual authentication key data hard to restore.

When giving the authority to use a portion of the
processing which the user of the owner card 72 has
selected among all the processing relating to the SAM
units 9a and 9b to the user of the user card 73, the
synthetic key data is generated by using a single or a
plurality of the mutual authentication key data related
to a portion of the processing selected.

Then, the management device 20 writes the generated
synthetic key data and the key designation data
designating the mutual authentication key data used for
the generation of the synthetic key data into the ICs
(integrated circuits of the present invention) of the
user card 73.

Further, the management device 20 prepares the
transport card 74 and the AP encryption card 75 in
response to an operation of the manager using the
owner card 72.

Step ST3:

Here, the user of the owner card 72 or the user
card 73 makes the SAM units 9a and 9b perform the
processing the authority of which was given to the user
via the management device 20 by using these cards.

In this case, the user makes the card
reader/writer 53 of the management device 20 read and
fetch the key designation data stored in the IC of the
owner card 72 or the user card 73.

The SAM management function portion 57 of the
management device 20 outputs the read key designation
data to the SAM units 9a and 9b.

Then, the SAM units 9a and 9b use the mutual
authentication key data designated by the key designation
data to encrypt the device key data by a predetermined
encryption method and generate synthetic key data (second
authentication use data of the present invention).

Then, the SAM management function portion 57 uses
the synthetic key data read out from the card 72 or the
card 73 for authentication, while the SAM units 9a and 9b
use the generated synthetic key data for authentication.

Then, when the authentication decides that the SAM
management function portion 57 and the SAM units 9a and
9b hold the same synthetic key data, the SAM units 9a and
9b execute processing related to one or more mutual
authentication key data used for generating the synthetic
key data in response to an instruction from the
management device 20.
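
The card issuance and authentication flow of steps ST1 to ST3, as an added example that is not part of the original document. HMAC-SHA256 stands in for the unspecified "predetermined encryption method", only the SAM-side check of the card holder is shown, and the key IDs, service names and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def synthesize(device_key, auth_keys):
    """Fold the device key through each designated mutual authentication key.

    Assumption: HMAC-SHA256 replaces the page's "predetermined encryption
    method"; being one-way, it keeps the mutual authentication keys hard to
    restore from the synthetic key stored on a card.
    """
    value = device_key
    for key in auth_keys:
        value = hmac.new(key, value, hashlib.sha256).digest()
    return value


def issue_card(device_key, key_table, key_ids):
    """Management device, ST1/ST2: synthetic key plus key designation data."""
    ids = sorted(set(key_ids))
    keys = [key_table[i][0] for i in ids]
    return {"synthetic_key": synthesize(device_key, keys), "key_designation": ids}


class SamUnit:
    """Authenticating side: holds the device key and all mutual auth keys."""

    def __init__(self, device_key, key_table):
        self._device_key = device_key
        self._key_table = key_table  # key id -> (key bytes, service name)
        self._session = None

    def begin(self, key_designation):
        """ST3: rebuild the synthetic key from the designation, send a challenge."""
        ids = list(key_designation)
        valid = ids and ids == sorted(set(ids)) and all(i in self._key_table for i in ids)
        if not valid:
            self._session = None
            return None
        keys = [self._key_table[i][0] for i in ids]
        self._session = {
            "key": synthesize(self._device_key, keys),
            "services": {self._key_table[i][1] for i in ids},
            "challenge": secrets.token_bytes(16),
            "authenticated": False,
        }
        return self._session["challenge"]

    def finish(self, response):
        """Accept only a response computed with the same synthetic key."""
        if self._session is None:
            return False
        expected = hmac.new(self._session["key"], self._session["challenge"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            self._session = None  # a failed attempt cannot be retried on this challenge
            return False
        self._session["authenticated"] = True
        return True

    def execute(self, service):
        """Run only processing tied to the keys that built the synthetic key."""
        s = self._session
        return bool(s and s["authenticated"] and service in s["services"])


def run_session(sam, card, service):
    """Management device side: present the designation, answer the challenge."""
    challenge = sam.begin(card["key_designation"])
    if challenge is None:
        return False
    response = hmac.new(card["synthetic_key"], challenge, hashlib.sha256).digest()
    return sam.finish(response) and sam.execute(service)


def build_demo():
    """Constructed sample data: three keys, an owner card and a user card."""
    device_key = secrets.token_bytes(32)
    key_table = {
        1: (secrets.token_bytes(32), "read_log"),
        2: (secrets.token_bytes(32), "write_ap_package"),
        3: (secrets.token_bytes(32), "delete_ap_package"),
    }
    sam = SamUnit(device_key, key_table)
    owner = issue_card(device_key, key_table, [1, 2, 3])  # all processing
    user = issue_card(device_key, key_table, [1])         # a portion only
    return sam, owner, user
```

A card that claims a wider key designation than it was issued with fails authentication, because the SAM derives a synthetic key the card does not hold; no separate management table is consulted.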

FIG. 4 is a view for explaining cards used in the
processing relating to the AP edit tool 51 and the
management tool 52 shown in FIG. 2.



As shown in FIG. 4, when using the management tool 
52 of the management device 20 to access the SAM units 9a 
and 9b, the owner card 72 and the user card 73 are used. 

Further, when providing an AP package file 
generated by the AP edit tool 51 to the management tool 
52, the AP package file is encrypted using the encryption 
key data stored in the IC of the AP encryption card 75. 

Namely, as shown in FIG. 4, the user prepares the
application element data APE configuring the application
program AP in the SAM module 8 by using the AP edit tool
51.

Then, the AP edit tool 51 prepares an AP package
file including one or more application element data APE,
encrypts this by using the encryption key data stored in
the AP encryption card 75, and provides this to the
management tool 52.

The management tool 52 performs mutual
authentication with the SAM units 9a and 9b as explained
above and writes the AP package file received from the AP
edit tool 51 to the AP memory areas in the SAM units 9a
and 9b authorized relating to the mutual authentication
key data used for the mutual authentication.

Further, the transport card 74 is used for
extracting data relating to the security of key data, etc.
held by the SAM units 9a and 9b, transferring the same to
another apparatus, and storing the same.

[IC Card 3 and Mobile Communication Device 41]

FIG. 5 is a functional block diagram of the IC card 3.

As shown in FIG. 5, the IC card 3 has an IC
(integrated circuit) module 3a provided with a memory 50
and a CPU 51.

The memory 50 has, as shown in FIG. 6, a memory
area 55_1 used by a service business 15_1 such as a
credit card company, a memory area 55_2 used by a service
business 15_2, and a memory area 55_3 used by a service
business 15_3.

Further, the memory 50 stores the key data used for
deciding the access right to the memory area 55_1, the
key data used for deciding the access right to the memory
area 55_2, and the key data used for deciding the access
right to the memory area 55_3. The key data is used for
the mutual authentication, the encryption and decryption,
etc. of the data.

Further, the memory 50 stores identification data
of the IC card 3 or the user of the IC card 3.

The mobile communication device 41 has a
communication processing unit 43 for communication with
ASP server apparatuses 19a and 19b via a mobile phone
network and the Internet 10 and an IC module 42 able to
transfer data with the communication processing unit 43
and communicates with the SAM unit 9a from an antenna via
the Internet.

The IC module 42 has the same functions as those of
the IC module 3a of the IC card explained above except
for the point of transferring data with the communication
processing unit 43 of the mobile communication device 41.

Note that the processing using the mobile 
communication device 41 is carried out in the same way as 
the processing using the IC card 3, while the processing 
using the IC module 42 is carried out in the same way as 
the processing using the IC module 3a. Therefore, in the 
following explanation, the processing using the IC card 3 
and the IC module 3a will be exemplified. 

Below, an explanation will be given of the SAM 
units 9a and 9b. 

As shown in FIG. 1, the SAM units 9a and 9b have 
external memories 7 and SAM modules 8. 

Here, the SAM module 8 may be realized as a
semiconductor circuit or may be realized as a device
accommodating a plurality of circuits in a housing.



[Software Configuration of SAM Module 8] 

The SAM module 8 has the software configuration as 
shown in FIG. 7. 

As shown in FIG. 7, the SAM module 8 has, from
the bottom layer to the top layer, a hardware HW layer, a
driver layer (OS layer) including an RTOS kernel, etc.
corresponding to the peripheral HW, a lower handler layer
for performing processing in logically composed units, an
upper handler layer combining application-specific
libraries, and an AP layer in that order.

Here, in the AP layer, the application programs
AP_1, AP_2, and AP_3 prescribing procedures by the
service businesses 15_1, 15_2, and 15_3 such as the
credit card company shown in FIG. 1 using the IC cards 3
are read out from the external memory 7 and run.

In the AP layer, firewalls FW are provided
between the application programs AP_1, AP_2, and AP_3 and
between them and the upper handler layer.

[Hardware Configuration of SAM Module 8] 

FIG. 8 is a view for explaining the hardware
configuration of the SAM module 8 and the memory area of
the external memory 7.

As shown in FIG. 8, the SAM module 8 has, for
example, a memory I/F 61, an external I/F 62, a memory 63,
an authentication unit 64, and a CPU 65 connected via a
bus 60.

The memory I/F 61 transfers data with the external
memory 7.

The external I/F 62 transfers data and commands
with the ASP server apparatuses 19a and 19b and the
management device 20 shown in FIG. 1.

The memory 63 stores various key data, etc. used
for the mutual authentication, etc. of the SAM units 9a
and 9b explained later. The key data may be stored in the
AP management use memory area 221 of the external memory
7 as well.

The authentication unit 64 performs the processing
relating to the mutual authentication explained later.
The authentication unit 64 performs, for example,
encryption and decryption using predetermined key data.

The CPU 65 centrally controls the processing of the
SAM module 8.

When confirming that the means to be
authenticated is a legitimate party by the mutual
authentication, the CPU 65 authorizes the processing
related to the mutual authentication key data explained
later to the means to be authenticated and executes this
as will be explained later.

A detailed explanation will be given below of the
mutual authentication processing by the SAM module 8.

[External Memory 7] 

As shown in FIG. 8, the memory area of the external
memory 7 includes an AP memory area 220_1 (service AP
resource area) for storing the application program AP_1
of the service business 15_1, an AP memory area 220_2 for
storing the application program AP_2 of the service
business 15_2, an AP memory area 220_3 for storing the
application program AP_3 of the service business 15_3,
and an AP management use memory area 221 (system AP
resource area and manufacturer AP resource area) used by
the manager of the SAM module 208.

The application program AP_1 stored in the AP
memory area 220_1 includes a plurality of application
element data APE (data modules of the present invention)
explained later as shown in FIG. 9. The access to the AP
memory area 220_1 is restricted by a firewall FW_1.

The application program AP_2 stored in the AP
memory area 220_2 includes a plurality of application
element data APE as shown in FIG. 9. The access to the AP
memory area 220_2 is restricted by a firewall FW_2.

The application program AP_3 stored in the AP
memory area 220_3 includes a plurality of application
element data APE as shown in FIG. 9. The access to the AP
memory area 220_3 is restricted by a firewall FW_3
(illustrated in FIG. 8).

In the present embodiment, the application element
data APE is the minimum unit downloaded from the outside
of, for example, the SAM unit 9a into the external memory
7. The number of the application element data APE
composing each application program can be freely
determined by the corresponding service business.

Further, the application programs AP_1, AP_2, and
AP_3 are prepared, for example, by service businesses
16_1, 16_2, and 16_3 by using the personal computers 15_1,
15_2, and 15_3 shown in FIG. 1 and downloaded to the
external memory 7 via the SAM module 8.

Note that the program and the data stored in the AP 
management use memory area 221 are also composed by using 
the application element data APE. 

FIG. 10 is a view for explaining the application
element data APE.

The application element data APE is composed by
using the instance prescribed according to the APE type
indicating the classification prescribed based on the
attribute (type) of the APE as shown in FIG. 10.

Each instance is prescribed according to an element
ID, an element property, and an element version.

The APE type prescribes
in which of the service AP memory areas 220_1, 220_2, and
220_3 and the AP management use memory area 221 the
application element data APE is stored.

The service AP memory area 220_1 stores the data 
which can be accessed by each service business. 

Note that the AP management use memory area 221 has 
a system AP memory area for storing the data which can be 
accessed by the manager of the system and a manufacturer 
AP memory area for storing the data which can be accessed 
by the manufacturer of the system. 

Further, the AP memory area is composed by the 
service AP memory areas 220_1, 220_2, and 220_3 and the 
AP management use memory area 221. 

In the present embodiment, an ID (AP memory area
ID) is assigned to each of the service AP memory areas
220_1, 220_2, and 220_3 and the AP management use memory
area 221, and an identification use number (APE type
number, instance number, and element version number) is
assigned to each of the APE type, the instance, and the
element version.

FIG. 11 is a view for explaining an example of the
APE type.

As shown in FIG. 11, the APE type includes IC
system key data, IC area key data, IC service key data,
IC synthetic key data, IC key change package, IC issuance
key package, IC expansion issuance key package,
IC area registration key package, IC area deletion key
package, IC service registration key package, IC service
deletion key package, IC memory division key package, IC
memory division element key package, obstacle recording
file, mutual authentication use key, package key,
negative list, and service data temporary file.
The APE type number is assigned to each APE type.

Below, an explanation will be given of part of the 
APE type shown in FIG. 1. 

The IC system key data, the IC area key data, the 
IC service key data, and the IC synthetic key data are 
card access key data used for the read/write operation of 
data with respect to the memories 50 of the IC card 3 and 
the IC module 42. 

The mutual authentication use key data is also used 
for the mutual authentication between APs existing in the 
same SAM. The SAM mutual authentication use key data 
means the key data used when accessing the corresponding
application element data APE from another AP in the same 
SAM or another SAM. 

The IC memory division use key package is the data 
used for dividing the memory area of the external memory 
7 and the memory of the IC card 3 before the start of 
provision of service using the IC card 3 by the service 
business.

The IC area registration key package is the data 
used at the time of area registration in the memory area 
of the memory of the IC card 3 before starting provision 
of service using the IC card 3 by the service business. 

The IC area deletion key package is a package able 
to be automatically generated from the card access key 
data inside the SAM. 

The IC service registration use key package is used 
for registering the application element data APE of the 
external memory 7 before the start of the provision of 
the service using the IC card 3 by the service business. 

The IC server deletion key package is used for 
deleting application element data APE registered in the 
external memory 7.

[Preparation of Owner Card 72 and User Card 73] 
FIG. 12 is a flow chart for explaining steps for
preparation of the owner card 72 and the user card 73.

FIG. 12 shows details of steps ST1 and ST2 shown
in FIG. 3.

Step ST11:

For example, when the manager prepares the owner
card 72, it selects the processing relating to the SAM
units 9a and 9b authorized to the user of the owner card
72.

Further, when the manager, etc. prepares the user
card 73, it selects the processing relating to the SAM
units 9a and 9b authorized to the user of the user card
73.

The processing relating to the SAM units 9a and
9b includes, for example, the processing for executing
the functions provided by the SAM units 9a and 9b or the
access to the data held by the SAM units 9a and 9b (for
example, the application element data APE).
Step ST12: 

The manager, etc. selects the mutual authentication
key data related to the processing selected at step ST11
and inputs or designates the same to the card management
function portion 58 of the management device 20.
The mutual authentication key data will be
explained in detail later.
Step ST13: 

The card management function portion 58 of the 
management device 20 uses one or more mutual 
authentication key data selected at step ST12 to generate 
the synthetic key data based on the degradation 
processing method (the predetermined generation method of 
the present invention) explained later. 

The degradation processing will be explained in
detail later.

Step ST14: 

The card management function portion 58 of the
management device 20 generates the key designation data
indicating the mutual authentication code for identifying
the mutual authentication key data used for generating
the synthetic key data at step ST13.

The key designation data becomes data indicating
the right of execution of the processing relating to the
SAM units 9a and 9b acquired by the user of the owner
card 72 or the user card 73.
Step ST15: 

The card management function portion 58 of the
management device 20 writes the synthetic key data
generated at step ST13 and the key designation data
generated at step ST14 into the IC of the owner card 72
or the user card 73.
Step ST16: 

The card management function portion 58 of the 
management device 20 registers the mutual authentication 
key data used for generating the synthetic key data of 
step ST13 into the SAM units 9a and 9b.

Below, an explanation will be given of the mutual
authentication key data covered by the selection at step 
ST12 shown in FIG. 12 explained above. 

FIG. 13 is a view for explaining the mutual 
authentication key data covered by the selection at step 
ST12 shown in FIG. 12. 

As shown in FIG. 13, the mutual authentication key
data includes, for example, device key data, termination
key data, manufacturer setting service mutual
authentication key data, hardware management service
mutual authentication key data, communication management
service mutual authentication key data, mutual
authentication service mutual authentication key data, AP
memory area management service mutual authentication key
data, service AP memory area mutual authentication key
data, system AP memory area mutual authentication key
data, and manufacturer AP memory area mutual
authentication key data.

Further, as shown in FIG. 13 and FIG. 14, the
mutual authentication code of the mutual authentication
key data includes an AP memory area
ID, an element type number, an element instance number,
and an element version number explained by using FIG. 10.

Below, an explanation will be given of the key
designation data generated at step ST14 shown in FIG. 12
explained above.

The key designation data is a mutual
authentication code list composed by using the mutual
authentication codes of a plurality of mutual
authentication key data.

FIG. 15A and FIG. 15B are views for explaining an
example of the key designation data.

At step ST12 of FIG. 12, when, for example, the
device key data, the hardware management service mutual
authentication key data, the communication management
service mutual authentication key data, the AP memory
area management service mutual authentication key data,
the service AP memory area mutual authentication key data,
and the termination key data shown in FIG. 13 are
selected, as shown in FIG. 15A, key designation data
indicating the mutual authentication codes of all
selected mutual authentication key data is generated.

At step ST13 shown in FIG. 12, when the synthetic 
key data is generated by using the mutual authentication 
key data of the mutual authentication codes shown in FIG.
15A, the mutual authentication with the SAM units 9a and
9b using the synthetic key data authorizes the management
device 20, as shown in FIG. 15B, to access the hardware
management service, the communication management service,
the IC service (service concerning the IC card 3 and the
IC module 421), the mutual authentication service, and
the AP memory area management service.

In this way, in the present embodiment, the 
synthetic key data can be generated by using the
functions of the SAM units 9a and 9b and the mutual
authentication key data related to a plurality of
processing including the access to the data held by the
SAM units 9a and 9b (for example, the application element
data APE).

Due to this, the mutual authentication using a 
single synthetic key data enables the SAM units 9a and 9b 
to collectively judge whether or not both of the 
functions of the SAM units 9a and 9b and the access to 
the data held by the SAM units 9a and 9b are authorized
to the means to be authenticated.

Then, the SAM units 9a and 9b execute the
processings relating to the predetermined functions 
related to the mutual authentication key data and 
authorize access to the data held by the SAM units 9a and 
9b from the means to be authenticated in response to an 
instruction of the means to be authenticated when 
authenticating that the means to be authenticated is 
legitimate. 

Below, an explanation will be given of the
degradation processing method of step ST13 shown in FIG. 
12. 

FIG. 16 is a flow chart for explaining the 
degradation processing method. 
Step ST21: 

The card management function portion 58 of the
management device 20 uses the device key data as a
message, uses the first of the mutual authentication key
data other than the device key data and termination key
data selected at step ST12 shown in FIG. 12 as the
encryption key, and encrypts the device key data to
generate intermediate key data.

Here, when the number of the mutual authentication
key data other than the device key data and the
termination key data selected at step ST12 is one, the
card management function portion 58 performs the
processing of the following step ST22 by using the
intermediate key data.

On the other hand, when the number of the mutual
authentication key data other than the device key data 
and the termination key data selected at step ST12 is two 
or more, the card management function portion 58 uses the 
intermediate key data as the message and uses the next 
mutual authentication key data as the encryption key to 
perform the encryption. 

The card management function portion 58 uses all
mutual authentication key data other than the device key
data and the termination key data selected at step ST12
as the encryption key and repeats the above processings
until the above encryption is carried out. When it ends,
it proceeds to the processing of step ST22.

Step ST22: 

The card management function portion 58 uses the
intermediate key data obtained at step ST21 as the 
message and uses the termination key data as the 
encryption key to perform the encryption to generate the 
synthetic key data. 

The termination key data is tamper-proofing key
data and is held only by the manager.
Due to this, it is possible to prevent a party
other than the manager from illegitimately tampering with
the synthetic key data.

Below, an explanation will be given of a case of
generating synthetic key data by a predetermined 
degradation processing method using the owner termination 
key data owned by only the manager (owner) and the user 
termination key data owned by the user given a right from 
the manager as the termination key data. 

FIG. 17 is a flow chart for explaining the 
degradation processing method. 

In FIG. 17, the processings of steps ST31 and
ST32 are the same as the processings of steps ST21 and
ST22 explained by using FIG. 16 except for the point of
using the owner termination key data as the termination
key data.

The synthetic key data generated at step ST32 is
the synthetic key data which can be expanded in the sense
that the users given the user termination key data can be
increased. 

Step ST33: 

The card management function portion 58 of the 
management device 20 uses the expandable synthetic key 
data generated by the owner as the message and uses the
first of the mutual authentication key data other than
the user termination key data selected by the user as the 
encryption key to encrypt the device key data to generate 
the intermediate key data. 

Here, when the number of the mutual authentication 
key data other than the selected user termination key 
data is one, the card management function portion 58
performs the processing of the following step ST22 using 
the intermediate key data. 

On the other hand, when the number of the mutual
authentication key data other than the selected user
termination key data is two or more, the card management
function portion 58 performs the encryption by using the
intermediate key data as the message and using the next
mutual authentication key data as the encryption key.

The card management function unit 58 repeats the
above processings until using all mutual authentication
key data other than the selected termination key data as
the encryption key for the encryption and proceeds to the 
processing of step ST34 when finishing. 

Step ST34: 

The card management function unit 58 uses the 
intermediate key data obtained at step ST33 as the 
message and uses the user termination key data as the
encryption key to perform encryption to generate the
synthetic key data.

The user termination key data is the tamper-proofing
key data and is held by only the owner and the
user.

Due to this, illegitimate tampering with the
synthetic key data by a party other than the owner and
the user can be prevented.

The synthetic key data generated by the processing 
shown in FIG. 17 includes the mutual authentication key 
encrypted by the hierarchy as shown in FIG. 18. 

Further, in the present embodiment, it is also 
possible to link a plurality of application element data 
APE to single mutual authentication key data (for example,
service, system, and manufacturer AP memory area mutual
authentication key data shown in FIG. 13).

Due to this, the authentication using the
synthetic key data enables the SAM units 9a and 9b to
collectively judge whether or not access to the 
application element data APE related to the single mutual 
authentication key data is authorized. 

For example, in FIG. 19, an authorization C of an
instance a of the application element data APE and an
authorization B of an instance b are linked with mutual
authentication key data 500. For this reason, if the
authentication using the synthetic key data degrading the
mutual authentication key data 500 succeeds, the SAM
units 9a and 9b authorize access to both of the instances
a and b.

Further, in the present embodiment, it is also 
possible to use a pair of on-line key data MK1 and
off-line key data MK2 as shown in FIG. 20 for all or part of
the mutual authentication key data explained by using FIG. 
13. 

In this case, at the time of the mutual 
authentication, use is made of the on-line key data MK1,
while when transferring data with the other party in the
mutual authentication, the data to be transferred is
encrypted by using the off-line key data MK2
corresponding to that.

Due to this, even if the on-line key data MK1 is
illegitimately acquired by another party, since the data
transferred between the means to be authenticated and the
authenticating means is encrypted by the off-line key
data MK2, illegitimate leakage of the information to the
outside can be prevented.

Below, an explanation will be given of the mutual
authentication between the SAM management function
portion 57 of the management device 20 and the SAM units
9a and 9b performed at step ST3, etc. shown in FIG. 3.

In this case, the management device 20 becomes
the means to be authenticated, and the SAM units 9a and
9b become the authenticating means.

FIG. 21 and FIG. 22 are flow charts for explaining
the mutual authentication between the SAM management
function unit 57 of the management device 20 and the SAM
unit 9a.

The SAM unit 9b is the same as the case of the
SAM unit 9a shown below.
Step ST51: 

First, the manager or user sets the owner card 72 
or the user card 73 in the card reader/writer 53. 

Then, the synthetic key data Ka (the first
authentication use data of the present invention) and the
key designation data stored in the owner card 72 and the
user card 73 are read into the SAM management function
unit 57 of the management device 20.

The SAM management function unit 57 generates a
random number Ra.
Step ST52:

The SAM management function unit 57 encrypts the
random number Ra generated at step ST51 by an encryption
algorithm 1 by using the synthetic key data Ka read at
step ST51 to generate the data Ra'.
Step ST53: 

The SAM management function unit 57 outputs the key
designation data read at step ST51 and the data Ra'
generated at step ST52 to the SAM unit 9a.

The SAM unit 9a receives as input the key
designation data and the data Ra' via the external I/F 62
shown in FIG. 8 and stores this in the memory 63.
Step ST54:

The authentication unit 64 of the SAM unit 9a
specifies the mutual authentication key data indicated by 
the key designation data input at step ST53 from among 
the mutual authentication key data stored in the memory 
63 or the external memory 7. 

Step ST55: 

The authentication unit 64 of the SAM unit 9a uses
the mutual authentication key data specified at step ST54 
to perform the degradation processing explained using FIG. 
16 or FIG. 17 to generate the synthetic key data Kb. 

Step ST56: 

The authentication unit 64 of the SAM unit 9a uses
the synthetic key data Kb generated at step ST55 to
decrypt the data Ra' input at step ST53 with a decryption
algorithm 1 corresponding to the encryption algorithm 1
to generate the random number Ra.
Step ST57:

The authentication unit 64 of the SAM unit 9a uses
the synthetic key data Kb to encrypt the random number Ra
generated at step ST56 with an encryption algorithm 2 to
generate data Ra".

Step ST58: 

The authentication unit 64 of the SAM unit 9a 
generates a random number Rb.
Step ST59: 

The authentication unit 64 of the SAM unit 9a uses 
the synthetic key data Kb to generate data Rb'.
Step ST60: 

The authentication unit 64 of the SAM unit 9a 
outputs the data Ra" generated at step ST57 and the data 
Rb' generated at step ST59 to the management device 20.

Step ST61:

The SAM management function unit 57 of the 
management device 20 uses the synthetic key data Ka to 
decrypt the data Ra" and Rb' input at step ST60 by the 
decryption algorithm 2 corresponding to the encryption 
algorithm 2 to generate data Ra and Rb. 

Step ST62:

The SAM management function unit 57 of the
management device 20 compares the random number Ra
generated at step ST51 and the data Ra generated at step
ST61.

Then, when the result is the same in the above
comparison, the SAM management function unit 57
authenticates that the synthetic key data Kb held by the
SAM unit 9a is the same as the synthetic key data Ka held
by the SAM management function unit 57 and the SAM unit
9a is a legitimate authenticating means.
Step ST63: 

The SAM management function unit 57 of the 
management device 20 uses the synthetic key data Ka to 
encrypt the data Rb generated at step ST61 by the 
encryption algorithm 1 to generate the data Rb".

Step ST64:

The SAM management function unit 57 of the
management device 20 outputs the data Rb" generated at
step ST63 to the SAM unit 9a.

Step ST65: 

The authentication unit 64 of the SAM unit 9a uses
the synthetic key data Kb to decrypt the data Rb" input
at step ST64 by the decryption algorithm 1 to generate
the data Rb.

Step ST66:

The authentication unit 64 of the SAM unit 9a
compares the random number Rb generated at step ST58 and
the data Rb generated at step ST65.

Then, when the same result as that in the above
comparison is shown, the authentication unit 64
authenticates that the synthetic key data Kb held by the
SAM unit 9a is the same as the synthetic key data Ka held
by the SAM management function unit 57 and the SAM
management function unit 57 is a legitimate means to be
authenticated.

Below, an explanation will be given of the
processings performed by the SAM units 9a and 9b based on
the results of the mutual authentication explained by
using FIG. 21 and FIG. 22.

FIG. 23 is a view for explaining the processings of
the SAM units 9a and 9b.

Step ST71:

The CPUs 65 of the SAM units 9a and 9b shown in FIG.
8 judge whether or not the authentication unit 64
authenticated that the authenticating means was
legitimate at step ST66 shown in FIG. 22. When deciding
it is legitimate, they proceed to the processing of
step ST72, while when deciding it is not, they end the
processing (that is, they judge that the authenticating
means does not have any right relating to the processing
and do not execute the processing).
Step ST72:

The CPUs 65 of the SAM units 9a and 9b execute the
processings relating to the mutual authentication key
data specified at step ST54 shown in FIG. 21. Due to this,
the predetermined service required by the means to be
authenticated is provided. Namely, the SAM units 9a and
9b judge that the means to be authenticated has the
predetermined right and execute the processing authorized
for the right.
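
The degradation processing of FIG. 16 and the exchange of FIG. 21 to FIG. 23, as an added Python sketch that is not part of the original text. The document names no cipher, so a 4-round HMAC-SHA256 Feistel permutation stands in for encryption algorithms 1 and 2; the code names, the keys, and the ordering of the key designation list (device key first, termination key last) are assumptions.

```python
import hashlib
import hmac
import secrets

BLOCK = 16                      # block size in bytes for this sketch
ALG1, ALG2 = b"alg1", b"alg2"   # labels separating "algorithm 1" and "algorithm 2"


def _f(key, label, rnd, half):
    # Round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, label + bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, block, label):
    """Stand-in cipher (4-round Feistel); the document does not name an algorithm."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, label, rnd, right))
    return left + right


def decrypt(key, block, label):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, label, rnd, left)), left
    return left + right


def degrade(device_key, selected_keys, termination_key):
    """FIG. 16: ST21 chains the selected keys over the device key, ST22 applies the termination key."""
    if not selected_keys:
        raise ValueError("at least one mutual authentication key must be selected")
    intermediate = device_key
    for key in selected_keys:                                   # step ST21
        intermediate = encrypt(key, intermediate, b"degrade")
    return encrypt(termination_key, intermediate, b"degrade")   # step ST22


class Sam:
    """Authenticating side: holds individual keys only, no per-card key and no rights table."""

    def __init__(self, keys, services):
        self.keys, self.services = keys, services   # both indexed by mutual authentication code
        self.kb = self.rb = self.codes = None

    def respond(self, codes, ra1):                  # steps ST54 to ST60
        self.kb = None
        if len(codes) < 3 or any(c not in self.keys for c in codes):
            return None                             # unknown or incomplete designation
        chain = [self.keys[c] for c in codes]       # ST54: look up the designated keys
        # Assumption: the list is ordered device key, selected keys, termination key.
        self.kb = degrade(chain[0], chain[1:-1], chain[-1])        # ST55
        self.rb, self.codes = secrets.token_bytes(BLOCK), codes    # ST58
        ra = decrypt(self.kb, ra1, ALG1)                           # ST56
        # ST57 and ST59; Rb' uses algorithm 2 because ST61 decrypts it with algorithm 2.
        return encrypt(self.kb, ra, ALG2), encrypt(self.kb, self.rb, ALG2)

    def finish(self, rb2):                          # steps ST65, ST66, ST71, ST72
        kb, self.kb = self.kb, None                 # one attempt per challenge
        if kb is None or not hmac.compare_digest(decrypt(kb, rb2, ALG1), self.rb):
            return []                               # ST71: no right, nothing is executed
        return sorted(self.services[c] for c in self.codes if c in self.services)


def authenticate(ka, codes, sam):
    """Management device side: returns the services the SAM authorizes, or [] on failure."""
    ra = secrets.token_bytes(BLOCK)                          # ST51
    reply = sam.respond(codes, encrypt(ka, ra, ALG1))        # ST52, ST53
    if reply is None or not hmac.compare_digest(decrypt(ka, reply[0], ALG2), ra):
        return []                                            # ST62: SAM derived a different key
    rb = decrypt(ka, reply[1], ALG2)                         # ST61
    return sam.finish(encrypt(ka, rb, ALG1))                 # ST63, ST64


def constructed_key(name):
    return hashlib.sha256(b"constructed:" + name.encode()).digest()[:BLOCK]


# Constructed sample data: codes and service names are placeholders, not values from the document.
CODES = ["DEVICE", "HW_MGMT", "COMM_MGMT", "AP_AREA_MGMT", "TERMINATION"]
KEYS = {c: constructed_key(c) for c in CODES}
SERVICES = {"HW_MGMT": "hardware management", "COMM_MGMT": "communication management",
            "AP_AREA_MGMT": "AP memory area management"}


def demo():
    sam = Sam(KEYS, SERVICES)
    codes = ["DEVICE", "HW_MGMT", "COMM_MGMT", "TERMINATION"]   # key designation data (ST14)
    ka = degrade(KEYS["DEVICE"], [KEYS["HW_MGMT"], KEYS["COMM_MGMT"]], KEYS["TERMINATION"])  # ST13
    granted = authenticate(ka, codes, sam)
    # A designation list edited on the card, without the matching synthetic key, is rejected.
    tampered = ["DEVICE", "HW_MGMT", "COMM_MGMT", "AP_AREA_MGMT", "TERMINATION"]
    return granted, authenticate(ka, tampered, sam)


if __name__ == "__main__":
    print(demo())
```

Because the SAM re-derives Kb from the codes it receives, a key designation list that does not match the synthetic key on the card makes the comparison at step ST62 fail, so no service is granted.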

Below, an explanation will be given of the screens 
used for Issuing various types of cards In relation to 
the management device 20 explained by using FIG. 2 and
FIG. 4. 

When the manager, etc. operates the operation unit
56 shown in FIG. 2 to instruct display of the operation
screen of the management tool 52, for example, as shown
in FIG. 24, a SAM management screen 750 is displayed on
the display 54.

The SAM management screen 750 displays an image
751 for instructing the preparation of a management tool
use card at the tool bar.
Further, the SAM management screen 750 displays
an image 752 indicating the network configuration of the
SAM connected to the SAM network.

When the user designates the image 751 on the
SAM management screen 750 by, for example, a mouse of the
operation unit 56, an image 753 is displayed.

As the image 753, images indicating the
preparation of the owner card, the preparation of the
user card, the preparation of the AP encryption card, and
the preparation of the transport card are displayed.

Below, an explanation will be given of a screen for
instructing preparation of the cards indicated in
the image 753.

First, an explanation will be given of the screen
for preparing an owner card.

When the manager instructs the preparation of an
owner card on the image 751 shown in FIG. 24 by a mouse,
the card management function unit 58 shown in FIG. 2
displays an owner card preparation screen 760 shown in
FIG. 25 on the display 54.

The owner card preparation screen 760 displays a
used service selection image 761, a service AP memory
area designation image 762, a system AP area designation
image 763, a device/termination key designation image 764,
and a designation decision instruction image 765.

The used service selection image 761 is an image
for selecting, for example, the content of the service
authorized to the owner card 72 to be prepared. 

The service AP memory area designation image 762 is 
an image for selecting the format authorized for access 
to the service AP memory area using the owner card 72 to 
be prepared. 

The system AP memory area designation image 763 is 
an image for selecting the format authorized for access 
to the system AP memory area using the owner card 72 to 
be prepared. 

The device/termination key designation image 764 is
an image for designating the device key data and the
termination key data used for preparing the owner card 72. 

The designation decision instruction image 765 is 
an image for inputting instructions for deciding the 
designated content. 

When finishing designation of required items on the 
owner card preparation screen 760, the manager designates 
the designation decision instruction image 765 by the 
mouse, etc.

Due to this, the card set instruction screen 770
shown in FIG. 26 is displayed on the display 54.
When preparing an owner card 72, the card set
instruction screen 770 instructs to set the default card
71.

Then, the manager makes the card reader/writer 53
read the data of the IC of the default card 71.

When confirming the legitimacy of the default
card 71, the SAM management function unit 57 selects the
mutual authentication key data related to the service,
etc. selected by the manager on the owner card
preparation screen 760. The selection corresponds to the
selection of step ST12 explained by using FIG. 12.

Next, an explanation will be given of the screen
for preparation of a user card. 

When the manager instructs the preparation of a 
user card on the screen image 751 shown in FIG. 24 by the 
mouse, the card management function unit 58 shown in FIG.
2 displays the user card preparation screen 780 shown in 
FIG. 27 on the display 54. 

The user card preparation screen 780 displays a 
used service selection image 781, a service AP memory 
area designation image 782, a system AP area designation
image 783, a device/termination key designation image 784,
and a designation decision instruction image 785.

The used service selection image 781 is an image
for selecting the content of the service authorized to
the prepared user card 73.

The service AP memory area designation image 782 is 
an image for selecting the format authorized for access 
to the service AP memory area using the prepared user 
card 73. 

The system AP memory area designation image 783 is 
an image for selecting the format authorized for access 
to the system AP memory area using the prepared user card 
73. 

The device/termination key designation image 784 is
an image for designating the device key data and the 
termination key data used for preparing the user card 73. 

The designation decision instruction image 785 is 
an image for inputting instructions for deciding the 
designated content. 

When finishing designating the required items on
the user card preparation screen 780, the manager
designates the designation decision instruction image 785
by the mouse and so on.

Due to this, the card set instruction screen 770
shown in FIG. 26 is displayed on the display 54.

When preparing a user card 73, the card set
instruction screen 770 instructs to set the owner card 72.
Then, the manager makes the card reader/writer 53
read the data of the IC of the owner card 72.

When confirming the legitimacy of the owner card
72, the SAM management function unit 57 selects the
mutual authentication key data related to the service,
etc. selected by the manager on the user card preparation
screen 780. The selection corresponds to the selection of
step ST12 explained by using FIG. 12.

Next, an explanation will be given of the screen 
for preparation of an AP encryption card. 

When the manager instructs the preparation of an AP
encryption card on the image 751 shown in FIG. 24 by the
mouse, the card management function unit 58 shown in FIG.
2 displays the AP encryption card preparation screen 790 
shown in FIG. 28 on the display 54. 

The AP encryption card preparation screen 790 
displays a used service selection image 791, a service AP
memory area designation image 792, a system AP area
designation image 793, a device/termination key
designation image 794, and a designation decision
instruction image 795.

The used service selection image 791 is an image
for selecting the content of the service authorized to,
for example, the prepared AP encryption card 75.
The service AP memory area designation image 792 is
an image for selecting the format authorized for access
to the service AP memory area using the prepared AP 
encryption card 75. 

The system AP memory area designation image 793 is 
an image for selecting the format for access to the 
system AP memory area using the prepared AP encryption 
card 75. 

The device/termination key designation image 794 is
an image for designating the device key data and the 
termination key data used for preparing the AP encryption 
card 75. 

The designation decision instruction image 795 is 
an image for inputting instructions for deciding the 
designated content. 

When finishing designating the required items on 
the AP encryption card preparation screen 790, the 
manager designates the designation decision instruction 
image 795 by the mouse, etc.

Due to this, the card set instruction screen 770
shown in FIG. 26 is displayed on the display 54.

When preparing the AP encryption card 75, the card
set instruction screen 770 instructs, for example, to set
the owner card 72.

Then, the manager makes the card reader/writer 53
read the data of the IC of the owner card 72.

When confirming the legitimacy of the owner card
72, the SAM management function unit 57 selects the
mutual authentication key data related to the service,
etc. selected by the manager on the AP encryption card
preparation screen 790. The selection corresponds to the
selection of step ST12 explained by using FIG. 12.

Next, an explanation will be given of the screen 
for preparation of a transport card. 

When the manager instructs the preparation of a
transport card on the image 751 shown in FIG. 24, the
card management function unit 58 shown in FIG. 2 displays
the transport card preparation screen 800 shown in FIG.
29 on the display 54.

The transport card preparation screen 800 displays
an image for instructing the IP address of the SAM
authorized for coverage of transport of data, the AP
memory area, the APE type of the application element data
APE, the instance number, and the version number.

The card management function unit 58 degrades the
mutual authentication key data related to the data for
which access is authorized in the memory areas of the SAM
units 9a and 9b based on the information designated on
the transport card preparation screen 800 to generate the
synthetic key data and writes this into the transport
card 74.

As explained above, by the manager, etc. selecting
functions and issuing various types of cards based on the
screen functionally showing processings, etc. provided by
the SAM units 9a and 9b, the manager can issue cards
having the rights matching its own intent without
concretely indicating to the manager the mutual
authentication key data, etc. actually used in the
processing. Due to this, leakage of information relating
to the security of the SAM units 9a and 9b can be avoided.

As explained above, the management device 20, as
explained by using FIG. 12 and FIG. 16, etc., uses a
plurality of mutual authentication key data related to
the processings relating to the SAM units 9a and 9b and
the degradation processing to generate the synthetic key
data.

Then, the synthetic key data and the key
designation data for specifying the mutual authentication 
key data used for generating that are written in the 
owner card 72 and the user card 73. 

Further, by performing the mutual authentication 
shown using FIG. 21 to FIG. 23 between the management 
device 20 using the owner card 72, etc. and the SAM units
9a and 9b, the SAM unit 9a generates the synthetic key
data based on the key designation data received from the
management device 20. When the synthetic key data
coincides with that held by the management device 20, it
can confirm the legitimacy of the management device 20
serving as the means to be authenticated.

Further, together with the confirmation, the 
processing related to the mutual authentication key data 
designated by the key designation data can be judged as 
processing authorized to the management device 20. 

Due to this, the SAM units 9a and 9b do not have
to hold the mutual authentication key data corresponding
to all authenticating means as in the conventional case
and, in addition, do not have to manage the processing
authorized to the means to be authenticated in the
management table either, so the processing load is
reduced.

The present invention is not limited to the above
embodiment.

In the present invention, it is also possible to
store bio-information of the user of the card in the IC
of any of, for example, the owner card 72, the user card
73, the transport card 74, and the AP encryption card 75,
and have the SAM units 9a and 9b further use the
bio-information stored in the card together with the mutual
authentication so as to authenticate the legitimacy of
the user.

For example, in the above embodiment, the case 
where the SAM units 9a and 9b performed the mutual
authentication with the management device 20 was
exemplified, but it is also possible if the SAM units 9a
and 9b perform the authentication with means to be
authenticated such as the ASP server apparatuses 19a and
19b or another SAM unit. In this case, the means to be
authenticated holds the synthetic key data and the key 
designation data. 

Further, in the embodiment, the case where the 
owner card 72 and the user card 73 held the synthetic key 
data and the key designation data was exemplified, but it 
is also possible to make another mobile device, etc. hold
these data. 

INDUSTRIAL CAPABILITY 

The present invention can be applied to a system
for performing predetermined processing based on 
authentication results. 